New York Attorney General Fines Practicefirst $550K For Failure to Protect Health Records

It appears that New York Attorney General Letitia James is becoming more aggressive about the protection of health records. On May 25, 2023, AG James fined practice management vendor Practicefirst $550,000 to resolve data security failures stemming from a 2020 data breach that impacted 1.2 million individuals.

As outlined by HealthSecurity.com, “New York-based Practicefirst suffered a data breach in November 2020 when a hacker exploited a critical firewall vulnerability and later deployed ransomware. The hacker successfully copied files from Practicefirst’s system that contained patient and employee information, including dates of birth, driver’s license numbers, Social Security numbers, diagnoses, medication information, and financial information.

Days later, screenshots containing personal information of 13 consumers were discovered on the dark web, the New York Attorney General’s Office stated. What’s more, the information was not encrypted.

The Office of the Attorney General (OAG) determined that Practicefirst failed to maintain reasonable data security practices to protect patients’ private and health information, including by failing to maintain appropriate patch management processes, conduct regular security testing of its systems, and encrypt the personal information on its servers,” the notice continued.

Practicefirst will have to pay $550,000 in penalties and offer credit monitoring services to impacted consumers free of charge. In addition, the company will be required to implement a variety of measures to improve its security practices, including encrypting health information and adopting appropriate authentication procedures.

In addition to the $550,000 fine and providing credit monitoring services, Practicefirst must also “implement a patch management solution, maintain and regularly update a comprehensive information security program, develop a vulnerability management program, and update its data collection, retention, and disposal practices.”

The settlement announcement also quoted James: “Each and every company charged with maintaining and handling patient data should take their responsibility to protect personal information, particularly health records, seriously. New Yorkers can trust that when companies fail at their duty, my office will step in to hold them accountable.”

Recall a previous article, The OCR Releases Video on Recognized Security Practices Under HITECH, which outlined the recognized security practices that the Office for Civil Rights (OCR) and state attorneys general must take into consideration when determining penalties for a breach. Had Practicefirst implemented these security practices (in particular, timely patching of internet-facing systems, regular security testing, and encryption of stored personal information, the very gaps the OAG cited), it might have avoided the steep fine and the cost of providing free credit monitoring services to impacted consumers.
